On Thu, 2007-06-14 at 07:00 -0400, Adam Tauno Williams wrote:
> > > Sure they do; we've had an LDAP "business directory" (whatever that
> > > means) for years and years. And I've yet to have to do a subtree rename
> > > - because we don't use hierarchy when hierarchy provides no benefit and
> > > you can accomplish the same thing with filters.
> >
> > Thanks for sharing your experience!
> >
> > Can I ask if there is a reason to use any kind of hierarchy structure
> > at all? Well, I already know one, ease of replication (a certain subtree
> > can be on a different server); is there any other?
>
> When it facilitates replication, access control, or partitioning. Which
> have already been listed.
>
> > If there is no good reason or situation where we should prefer a hierarchy
> > structure, I got a good lesson to learn this time. I was a bit "misled"
> > because I read no less than 5 reference implementations (googled from
> > online; some are university implementations for student records etc.)
> > before starting ours, and they all use a hierarchy structure. Maybe that's
> > because they considered this first, that a university is unlikely to
> > rename, but they probably also have other reasons to prefer a hierarchy
> > structure.
>
> In the case of a University I can see separating staff from students
> since you might need to replicate student information to a different
> server, they might be partitioned, and they certainly have different
> access controls.
>
> > > > In this case people might also suggest we should start from a relational
> > > > database, but 1) our data is truly mostly read: the ratio of reads to writes
> > > > is close to 1000/1 and I think this qualifies for the LDAP definition; 2) our data
> > > > should be used in a lot of difficult situations (scripts to generate
> > > > report lists, web applications, client PIM software, variable data
> > > > publication etc.) and using a standard interface like LDAP can greatly help
> > > > ease the implementations.
> > >
> > > I don't see the point or what you mean by #2 at all. SQL isn't a
> > > standard?
> >
> > I just need to explain my situation (scripts to generate report lists,
> > web applications, client PIM software, variable data publication etc.) in
> > a much more detailed example so you get me. SQL is standard; it is
> > standard to this extent:
> >
> > I. If we use SQL, after the web application is done, the next task is to
> >    design a plug-in for Outlook so that they can access the
> >    business directory. For the plug-in to work I need to dig into the
> >    MS Office SDK and learn XML-RPC and provide something on the
> >    server end to handle the XML-RPC and convert it to SQL statements to
> >    sort out the result.
>
> Have you actually tested - in real life - using LDAP from Outlook?
> Don't assume that "supports LDAP" means everything will just work. You
> may very well discover that the data you need doesn't appear. And you
> do know that LDAP in Outlook is *read only*? Users cannot modify
> anything.

Thanks for the info, but I do know in real life how to use LDAP from
Outlook as well as Outlook Express, and I know it's read-only. I don't
use it every day because I prefer Evolution on our SuSE workstations. My
users use it to enter email addresses and look up telephone numbers.
They know they need to log in to the web application to maintain the
data. In real life, having read access is better than telling my user
that Outlook integration doesn't exist and please go to the website to
find his email address: as I said, the read/write ratio is close to
1000/1. Also, Outlook users are mostly really read-only users: of 50
users, only 1 has any kind of write access to the system.

> > II. After this is done, the next task is to design a plug-in that works
> >     with Lotus Notes.
>
> If you have Lotus Notes why don't you just use Lotus Notes? It sounds
> in part like what you want is a groupware server - LDAP makes a
> genuinely crappy groupware / collaboration solution.

Same as above. Lotus Notes has a native address book feature, far from
the requirements of the real business directory we are running. I worked
on this business directory project for two years and I'd be shocked if
someone told me Lotus Notes' own feature is equal to my two years of
work on it.

> > III. And after that, for variable data publication to work, a plug-in
> >      for publication design software is needed to fetch data from a
> >      server (which probably can handle XML-RPC) which in turn runs SQL
> >      statements. The next task is to consider the security issues of all
> >      these plug-ins.
>
> It isn't that hard to provide LDAP access to an SQL database if you have
> some proprietary package ("publication design software"?) that can
> already use LDAP. I'm pretty certain Exchange and Lotus Notes already
> provide LDAP access to data.

Doesn't make good sense to me. OpenOffice can generate 1000
address-pre-filled envelopes from an LDAP database and get them printed
in one day without the help of a developer (just telephone support is
okay). This is an advantage. My users want envelopes; they don't want to
hear that we need a developer, a proprietary package to buy from vendor
ABC or an Exchange server in order to print envelopes.

> > IV. Other small cases: e.g. someone needs a report made up of
> >     the list of the 30 most recently updated records. For security
> >     reasons I don't open SQL access directly to this person, whom I
> >     didn't know before, so I have to write a script on the SQL server
> >     that gives him the raw data needed for the report. (In the case of LDAP,
> >     he can connect to the LDAP server with any tool he likes to use,
> >     and he doesn't even need to call me to let me know he is working
> >     on a report, because he can use the same identity to log in as he
> >     logs in with Outlook.)
>
> You need to try using a modern SQL RDBMS; access can be granted /
> restricted with nearly as much granularity as in LDAP. I think your
> idea is good in theory but how do you intend to query for the "list of
> 30 most recently updated records". The available LDAP tools ["with any
> tool he like to use"] are mostly quite primitive and certain not in the
> least end-user friendly.

By "I don't open SQL access directly to this person" you know this time I
am referring to a technical guy. I have listed situations for many groups
of users, but wasn't detailed enough to let you understand. My users are:

I.   System supervisors who have full access to all data and audit all
     modifications by other people;
II.  Operators who call contact persons to recap their contact
     information;
III. Company representatives who update their contact information on the
     website on their own with the username and password they got by
     mail; they only have write access within their company;
IV.  PIM software users who look up information (a limited set of
     information, by using ACLs);
V.   Privileged users who can access a lot of detailed information (the
     favorite drink of a person) from the web application but have no
     write access at all;
VI.  Marketing users who wish to print labels and envelopes at the least
     cost and fastest speed (yes, they don't wish to buy software to print
     them; we send these users copies of OpenOffice);
VII. Special marketing users who use contact information for really
     complicated variable data publication (they use professional design
     software and are willing to pay for proprietary plug-ins and can wait
     for them for months);
VIII. Occasional users who need to develop a special product using the
     data or have a special use of the data (my case story IV).

God, we are almost a live example of how a directory service should
satisfy users!
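The access model described in the list above (supervisors, operators, company representatives who may write only their own company's entries, PIM users limited to a few attributes, privileged read-only users) can be expressed with OpenLDAP ACLs on a flat tree without any hierarchy. This is an added example, not configuration from the thread; the base DN, the group DNs and the favoriteDrink attribute are assumptions, and company representatives are assumed to bind as their own entry's DN.

```conf
# Added example (not from the thread). Flat business directory under
# ou=contacts,dc=example,dc=com (assumed); groups under ou=groups (assumed).
# OpenLDAP evaluates "access to" clauses in order; the first matching
# clause wins, so attribute-specific rules come before the catch-all.

# Passwords: the entry owner may change it, supervisors may reset it,
# anonymous may only use it to bind (auth), nobody reads it.
access to dn.subtree="ou=contacts,dc=example,dc=com" attrs=userPassword
    by group.exact="cn=supervisors,ou=groups,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Sensitive detail (favoriteDrink is an assumed attribute): privileged
# web users read, supervisors write, everyone else sees nothing.
access to dn.subtree="ou=contacts,dc=example,dc=com" attrs=favoriteDrink
    by group.exact="cn=supervisors,ou=groups,dc=example,dc=com" write
    by group.exact="cn=privileged,ou=groups,dc=example,dc=com" read
    by * none

# Contact data: supervisors and operators write; a company representative
# may write only entries whose o value matches the o of their own entry
# (ACL "set" syntax); every other authenticated user, including Outlook,
# Evolution and OpenOffice binding with a user DN, gets read only.
access to dn.subtree="ou=contacts,dc=example,dc=com"
        attrs=cn,sn,givenName,mail,telephoneNumber,o,street,postalCode,l
    by group.exact="cn=supervisors,ou=groups,dc=example,dc=com" write
    by group.exact="cn=operators,ou=groups,dc=example,dc=com" write
    by set="this/o & user/o" write
    by users read
    by * none

# Everything else (entry itself, objectClass, operational attributes such
# as modifyTimestamp used for "most recently updated" queries): read for
# authenticated users, write for supervisors, nothing for anonymous.
access to dn.subtree="ou=contacts,dc=example,dc=com"
    by group.exact="cn=supervisors,ou=groups,dc=example,dc=com" write
    by users read
    by * none
```

Test the result with slapacl before exposing the server to Outlook users, for example `slapacl -b "cn=someone,ou=contacts,dc=example,dc=com" -D "cn=rep,ou=contacts,dc=example,dc=com" telephoneNumber/write`, which reports whether the bound DN would be granted that access.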